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1 DISK DRIVE EMPLOYING A DISK WITH A PRISTINE AREA FOR STORING 

2 ENCRYPTED DATA ACCESSIBLE ONLY BY TRUSTED DEVICES OR CLIENTS TO 

3 FACILITATE SECURE NETWORK COMMUNICATIONS 

4 

5 CROSS-REFERENCE TO RELATED PATENTS AND APPLICATIONS 

6 This patent application is related to other co-pending U.S. patent applications. Namely, 

7 U.S. patent application serial no. 09/608,103 entitled "SECURE DISK DRIVE COMPRISING A 

8 SECURE DRIVE KEY AND A DRIVE ID FOR IMPLEMENTING SECURE 

9 COMMUNICATION OVER A PUBLIC NETWORK," and serial no. 09/608,102 entitled "DISK 

10 DRIVE IMPLEMENTING KEY MANAGEMENT FOR GENERATING AND 

11 DECOMMISSIONING CLIENT KEYS SUPPLIED TO CLIENT COMPUTERS TO 

12 FACILITATE SECURE COMMUNICATION OVER A PUBLIC NETWORK." 
13 

14 BACKGROUND OF THE INVENTION 

15 

16 Field of the Invention 

17 The present invention relates to disk drives for computer systems. More particularly, the 

18 present invention relates to a disk drive employing a disk with a pristine area for storing 

19 encrypted data accessible only by trusted devices or clients to facilitate secure network 

20 communications. 

21 Description of the Prior Art 

22 Cryptography for secure network communications is typically implemented by server and 

23 client computers attached to a network. With Internet communications, for example, 

24 cryptography is typically implemented by the server computers hosting secure web sites and the 

25 browser programs running on client computers. A secure communication protocol, such as the 

26 Secure Socket Layer (SSL), is used to transmit encrypted messages over public lines subject to 

27 inspection. If an encrypted message is intercepted while in transit, it is extremely difficult to 
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1 decipher the message without the cryptographic key. For this reason, attackers are focusing their 

2 efforts on the computers which implement the cryptography algorithms in an attempt to glean 

3 information about the secret cryptographic keys used for the authentication and the 

4 encryption/decryption operations. The attacks may be physical using debuggers and logic 

5 analyzers, or they may be remote attacks using virus programs which invade the computer's 

6 operating system in order to obtain information concerning the cryptographic keys. A virus may, 

7 for example, be introduced remotely into a computer's operating system by attaching the virus to 

8 an email. 

9 A paper by H. Gobioff, G. Gibson, and D. Tygar entitled "Security for Network Attached 

10 Storage Devices", October 23 1997, School of Computer Science, Carnegie Mellon University, 

11 suggests to implement cryptography algorithms and secret keys in tamper resistant circuitry 

12 within a disk drive where it is less susceptible to probing and virus attacks. These types of disk 

13 drives, referred to as NASD disk drives, are intended to be attached directly to a network in order 

14 to avoid the overhead associated with an intervening file server. However, the above referenced 

15 paper does not disclose many details of implementation, particularly with respect to the 

1 6 authentication and encryption/decryption operations . 

17 The Digital Transmission Content Specification or DTCP (available through the Internet 

18 at http:/ /www.dtcp.com ) discloses a cryptographic protocol for protecting audio/video (A/V) 

19 content from unauthorized copying as it traverses digital transmission mechanisms from device 

20 to device. Only compliant devices manufactured to support the DTCP protocol are capable of 

21 transmitting or receiving the protected A/V content. Each device is manufactured with a unique 

22 device ID and a public/private key pair which facilitate authentication and encryption/decryption 

23 of the A/V content. The DTCP specification suggests to store the private key in a way so as to 

24 prevent its disclosure, however, no specific means are disclosed for achieving this objective. 

25 U.S. Patent No. 5,931,947 discloses a network storage device for use in a secure array of 

26 such devices to support a distributed file system. Each device is an independent repository of 

27 remotely encrypted data to be accessed by authorized network clients. All encryption is done by 
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1 the clients, rather than by the devices, and the encrypted data is stored in encrypted form. Each 

2 network storage device comprises an owner key used to generate authentication keys within the 

3 device for authenticating messages received from the clients. However, the keys used by the 

4 clients for encrypting data and generating the message authentication codes are generated 

5 external to the devices by a system administrator which is susceptible to attack. Further, the 

6 aforementioned patent does not disclose any details concerning the privacy of the owner key 

7 within each disk drive. 

8 U.S. Patent No. 5,687,237 discloses an encryption key management system for an 

9 integrated circuit which encrypts or decrypts data received from a microcontroller. The 
10 encryption and decryption operations are implemented using cryptographic keys stored in a non- 
11 volatile memory in encrypted form to protect against discovery. When needed to encrypt or 

12 decrypt data, the integrated circuit employs a secret internal key to decrypt the cryptographic 

13 keys stored in the non- volatile memory. Although storing the cryptographic keys in encrypted 

14 form protects against discovery, the aforementioned patent does not disclose any details 

15 concerning the authentication of users or devices requesting the encryption or decryption 

16 operations, nor does it disclose any details concerning the authentication of messages to verify 

17 that the messages have not been modified while in transit over public lines. 

18 There is, therefore, the need to improve security in network communications, particularly 

19 with respect to probing attacks and virus attacks on computer operating systems. 

20 SUMMARY OF THE INVENTION 

21 The present invention may be regarded as a disk drive comprising a disk for storing data, 

22 the disk comprising a public area for storing plaintext data and a pristine area for storing 

23 encrypted data. The disk drive comprises a head for reading the encrypted data from the pristine 

24 area of the disk, and a control system for controlling access to the pristine area of the disk. 

25 Authentication circuitry within the disk drive is provided for authenticating a request received 

26 from an external entity to access the pristine area of the disk and for enabling the control system 

27 if the request is authenticated. The disk drive further comprises a secret drive key, and 
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1 decryption circuitry responsive to the secret drive key, for decrypting the encrypted data stored in 

2 the pristine area of the disk. 

3 The present invention may also be regarded as a disk drive comprising a disk for storing 

4 data, the disk comprising a public area for storing plaintext data and a pristine area for storing 

5 encrypted data. The disk drive comprises a head for reading data from the disk, and a control 

6 system for controlling access to the disk. The disk drive further comprises a secret drive key, 

7 and decryption circuitry responsive to the secret drive key, for decrypting the encrypted data 

8 stored in the pristine area of the disk to generate decrypted data. The decrypted data is processed 

9 by authentication circuitry within the disk drive for authenticating a request received from an 

10 external entity to access the disk and for enabling the control system if the request is 

1 1 authenticated. 

12 The present invention may also be regarded as a disk drive comprising a disk for storing 

13 data, the disk comprising a public area for storing plaintext data and a pristine area for storing 

14 encrypted data. The disk drive comprises a head for reading the encrypted data from the pristine 

15 area of the disk, and a control system for controlling access to the pristine area of the disk. The 

16 disk drive further comprises a secret drive key, and decryption circuitry responsive to the secret 

17 drive key, for decrypting the encrypted data stored in the pristine area of the disk. The disk 

18 comprises a plurality of physical blocks accessed by the control system through physical block 

19 addresses. An access request received from an external entity during normal operation of the 

20 disk drive comprises a logical block address which is mapped by the control system to a selected 

21 one of the physical block addresses. The pristine area comprises at least one physical block 

22 written with at least part of the encrypted data during manufacturing of the disk drive and not 

23 externally accessible through a logical block address during normal operation of the disk drive. 

24 The present invention may also be regarded as a method of processing a request received 

25 by a disk drive from an external entity to access encrypted data stored in a pristine area of a disk. 

26 The method comprises the steps of authenticating the request to access the pristine area and 

27 enabling access to the pristine area if the request is authenticated, reading the encrypted data 
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1 stored in the pristine area, and decrypting the encrypted data using a secret drive key within the 

2 disk drive to generate decrypted data. 

3 The present invention may also be regarded as a method of processing a request received 

4 by a disk drive from an external entity to access data stored on a disk, the disk comprising a 

5 public area for storing plaintext data and a pristine area for storing encrypted data. The method 

6 comprises the steps of decrypting the encrypted data stored in the pristine area of the disk using a 

7 secret drive key within the disk drive to generate decrypted data, and using the decrypted data to 

8 authenticate the request received from the external entity before allowing access to the disk. 

9 BRIEF DESCRIPTION OF THE DRAWINGS 

10 FIG. 1 shows a disk drive according to an embodiment of the present invention 

1 1 comprising a disk having a public area for storing plaintext data and a pristine area for storing 

12 encrypted data, decryption circuitry for decrypting the encrypted data, a secret drive key 

13 employed by the decryption circuitry, and authentication circuitry for authenticating requests by 

14 external entities to access the pristine area. 

15 FIG. 2 shows a disk drive according to an embodiment of the present invention wherein 

16 the authentication circuitry is responsive to decrypted data generated by the decryption circuitry 

17 after decrypting the encrypted data stored in the pristine area of the disk. 

18 FIG. 3 shows an embodiment of the present invention wherein the authentication circuitry 

19 implements a challenge and response protocol in order to verify the authentication of a user or a 

20 device, wherein the pristine area on the disk is used to store data employed in the challenge and 

21 response protocol. 

22 FIG. 4 shows a disk format according to an embodiment of the present invention as 

23 comprising a plurality of physical blocks in the pristine area which are written with encrypted 

24 data during manufacturing and are not externally accessible during normal operation of the disk 

25 drive. 

26 DESCRIPTION OF THE PREFERRED EMBODIMENTS 

27 FIG. 1 shows a disk drive 2 according to an embodiment of the present invention 
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1 comprising a disk 4 for storing data, the disk 4 comprising a public area 6 for storing plaintext 

2 data and a pristine area 8 for storing encrypted data. The disk drive 2 comprises a head 10 for 

3 reading the encrypted data from the pristine area 8 of the disk 4, and a control system 12 for 

4 controlling access to the pristine area 8 of the disk 4. Authentication circuitry 14 within the disk 

5 drive 2 is provided for authenticating a request received from an external entity to access the 

6 pristine area 8 of the disk 4 and for enabling the control system 12 if the request is authenticated. 

7 The disk drive 2 further comprises a secret drive key 16, and decryption circuitry 18 responsive 

8 to the secret drive key 16, for decrypting the encrypted data stored in the pristine area 8 of the 

9 disk 4. 

10 In the embodiment of FIG. 1, the disk drive further comprises a preamplifier 20 for 

11 generating an analog write signal 22 supplied to the head 10 during a write operation and for 

12 receiving an analog read signal 22 from the head 10 during a read operation. The preamplifier 20 

13 receives digital write data 24 from the control system 12 which is to be written to the disk 4, 

14 wherein the digital write data 24 modulates current in the analog write signal 22 and thus the 

15 head 10 in order to write a series of magnetic transitions on the surface of the disk 4 representing 

16 the recorded digital data. During a read operation, the head 10 senses the magnetic transitions 

17 which induces pulses in the analog read signal 22. The preamplifier 20 preamplifies the analog 

18 read signal 22 and the preamplified analog read signal 26 is supplied to the control system 12 

19 where it is demodulated into an estimated data sequence representing the originally recorded 

20 data. In one embodiment, the control system 12 implements an error correction code (ECC) for 

21 use in detecting and correcting errors in the estimated digital data induced by the recording and 

22 reproduction process. The control system 12 sends control sequences to the preamplifier 20 over 

23 line 28 in order to configure it for write or read operations. 

24 In the embodiment of FIG. 1, the head 10 is mounted on the distal end of an actuator arm 

25 32 which is rotated about a pivot 34 by a voice coil motor (VCM not shown). The control 

26 system 12 comprises a servo control system for generating control signals 36 applied to the VCM 

27 in order to position the head radially over the disk 4 so as to access a desired area of the disk 4 
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1 during write and read operations. The control system 12 will access the pristine area 8 and allow 

2 a write or read operation only if certain predetermined conditions are satisfied. 

3 In one embodiment of the present invention, the disk drive 2 receives requests from 

4 external entities (e.g., a host or client computer) to access the pristine area 8. The control system 

5 12 allows the access only if the request is authenticated by the authentication circuitry 14. For 

6 example, the pristine area 8 may store sensitive information (e.g., a password, credit card 

7 number, etc.) for use in a secure transaction with an Internet web site. This information is stored 

8 in the pristine area 8 in encrypted form so that it cannot be discovered by an attacker evaluating 

9 the disk storage medium. In addition, the pristine area 8 is protected from access through normal 

10 operation of the disk drive 2 by requiring requests received from external entities to be 

1 1 authenticated. 

12 When the control system 12 receives via line 38 a request from an external entity to 

13 access the pristine area 8 (read or write), it sends a command via line 40 to the authentication 

14 circuitry 14 to authenticate the request. The authentication circuitry 14 evaluates the request and, 

15 if authentic, sends a command via line 42 to enable the control system 12 to perform the request. 

16 In one embodiment of the present invention, the authentication circuitry 14 enables the servo 

17 control system within control system 12 to restrict access to the pristine area 8. Embedded servo 

18 sectors are recorded on the disk 4, wherein the embedded servo sectors comprise servo bursts 

19 used for servoing the head over the disk 4. In one embodiment, the servo sectors are recorded in 

20 unencrypted form in the pristine area 8 such that servoing the head 10 by reading the servo bursts 

21 is possible if the disk 4 is removed and placed in another disk drive or on a spin stand. In 

22 another embodiment, the servo bursts are recorded in the servo sectors of the pristine area 8 in 

23 encrypted form to protect against an attacker removing the disk 4 and attempting to servo using 

24 an external apparatus. In one embodiment, the servo bursts are encrypted by recording the servo 

25 bursts with additive noise generated from a pseudo random sequence. The pseudo random 

26 sequence is generated using a polynomial, and the authentication circuitry provides the 

27 polynomial to the control system 12 to enable the servo control system to servo in the pristine 
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1 area 8. The additive noise in the servo bursts is subtracted from the read signal by regenerating 

2 the pseudo random sequence. In one embodiment, the polynomial for regenerating the pseudo 

3 random sequence is stored in encrypted form in the pristine area 8 of the disk 4, preferably in a 

4 physical block which is inaccessible to an external entity as described in greater detail below 

5 with reference to FIG. 4. 

6 In another embodiment of the present invention shown in FIG. 2, the authentication 

7 process is implemented using the encrypted data stored in the pristine area 8. The encrypted data 

8 is read from the disk 4 by the control system 12, decrypted by the decryption circuitry 18 using 

9 the secret drive key 16, and the decrypted data transferred over line 44 to the authentication 

10 circuitry 14. 

11 The authentication circuitry 14 may perform user/device authentication, message 

12 authentication, or user/device as well as message authentication. With user/device 

13 authentication, the authentication circuitry 14 verifies that the request was sent from a trusted 

14 entity, and with message authentication, the authentication circuitry 14 verifies that the request 

15 was not modified while in transit from the external entity to the disk drive 2. 

16 User/device authentication may be implemented, for example, by associating selected 

17 information (e.g., a password, finger print, voice print, spectral signature, etc.) with a trusted 

18 entity. In one embodiment, user/device authentication information (e.g., a password) is stored in 

19 the pristine area 8 of the disk 4. When an external entity sends a request to access to the pristine 

20 area 8, the request received over line 38 comprises an entity ID and an entity password. The 

21 authentication circuitry 14 uses the entity ID to read the associated password from the pristine 

22 area 8, and the request is authenticated if it matches the entity password received in the request. 

23 Otherwise, the request is not authenticated and access is denied. 

24 The user/device authentication information (e.g., password) is stored in the pristine area 8 

25 in encrypted form using a suitable encryption algorithm (e.g., DES, RSA, etc.) which may be 

26 symmetric (private key encryption) or asymmetric (public key encryption). The decryption 

27 circuitry 18 within the disk drive 2 uses the secret drive key 16 to decrypt the encrypted 
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1 authentication information, and the decrypted authentication information is provided to the 

2 authentication circuitry 14 over line 44 (FIG. 2). A suitable means is employed to protect the 

3 secret drive key 16 from discovery, such as tamper resistant circuitry. In addition, all or part of 

4 the control system 12 and/or the authentication circuitry 14 may be implemented using tamper 

5 resistant circuitry to protect the decrypted authentication data. An example discussion of tamper- 

6 resistant circuitry is provided in Tygar, J.D. and Yee, B.S., "Secure Coprocessors in Electronic 

7 Commerce Applications," Proceedings 1995 USENIX Electronic Commerce Workshop, 1995, 

8 New York, which is incorporated herein by reference. 

9 In the above referenced co-pending patent application entitled "SECURE DISK DRIVE 

10 COMPRISING A SECURE DRIVE KEY AND A DRIVE ID FOR IMPLEMENTING SECURE 

11 COMMUNICATION OVER A PUBLIC NETWORK," a nexus of secure disk drives are 

12 manufactured in a way that enables secure network communication between the drives. In one 

13 embodiment, each secure disk drive is manufactured with a secure drive key and a unique drive 

14 ID which are used for identification and authentication. When the network detects that one of the 

15 secure disk drives has been compromised, its drive ID is invalidated. Each secure disk drive in 

16 the nexus stores a list of invalidated drive IDs. If a secure disk drive receives a request from a 

17 disk drive with an invalid drive ID, the request is denied. 

18 In one embodiment of the present invention, the list of invalidated drive IDs is stored in 

19 encrypted form in the pristine area 8 of the disk 4 within each secure disk drive. When a request 

20 is received over line 38 from a secure disk drive in the nexus, the list of invalidated drive IDs is 

21 read from the pristine area 8, decrypted by the decryption circuitry 18 using the secret drive key 

22 16, and transmitted over line 44 (FIG. 2) to the authentication circuitry 14. The authentication 

23 circuitry 14 authenticates the secure disk drive (device) by comparing the drive ED received in 

24 the request to the list of invalidated drive IDs. In one embodiment, the list of invalidated drive 

25 IDs is encrypted according to a message authentication code to protect against attempts to 

26 modify the list, wherein the list itself is stored in unencrypted form. Thus, the term "encrypted 

27 data" as used herein includes encryption using a message authentication code. 
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1 The drive ID in each secure disk drive may also be stored in the pristine area 8 in 

2 encrypted form. When a secure disk drive generates a request, the drive ID is read from the 

3 pristine area 8, decrypted by the decryption circuitry 18 using the secret drive key 16, and 

4 appended to the request. 

5 In an alternative embodiment of the present invention shown in FIG. 3, the pristine area 8 

6 stores information used to implement a suitable challenge and response sequence. A challenge 

7 and response sequence is used to authenticate an external entity by sending a random challenge 

8 value to the external entity; the external entity is authenticated if it replies with the appropriate 

9 response value. In one embodiment, the pristine area 8 stores information used to generate the 

10 random challenge value sent to an external entity as well as information for verifying the 

11 response value received from the external entity. In another embodiment, the pristine area 8 

12 stores information used to generate the response value for replying to a challenge received from 

13 an external entity. The challenge and response information is stored in encrypted form in the 

14 pristine area 8, decrypted by the decryption circuitry 18 using the secret drive key 16, and the 

15 decrypted data transferred to the authentication circuitry 14 over line 44. 

16 The authentication circuitry 14 may also be used to authenticate a request (message) 

17 received from an external client to verify that the request was not modified while in transit. In 

18 one embodiment, a message authentication code (MAC) is generated and appended to the 

19 request. The request is then authenticated by regenerating the MAC and comparing the 

20 regenerated MAC to the MAC appended to the request. If the request has not been modified 

21 while in transit, the regenerated MAC will match the MAC appended to the request. Any 

22 suitable method may be employed to generate the MAC, for example, using a hashing function 

23 implemented with or without a secret key. The pristine area 8 is used to store information in 

24 encrypted form for use in generating the MAC, such as a hashing function and/or a secret key 

25 used with the hashing function. The MAC information is read from the pristine area 8, decrypted 

26 by the decryption circuitry 18 using the secret drive key 16, and transferred to the authentication 

27 circuitry 14 over line 44 (FIG. 2). 
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1 In another embodiment of the present invention, the pristine area 8 of the disk 4 stores an 

2 encrypted secret key for use in decrypting a message received over line 38 from an external 

3 entity. The encrypted secret key is read from the pristine area 8 and decrypted by the decryption 

4 circuitry 18 using the secret drive key 16. The decrypted secret key is then used by the 

5 decryption circuitry 18 to decrypt the message received over line 38. This embodiment may 

6 facilitate a distributed key management system for a network of computer devices. 

7 In yet another embodiment of the present invention, the pristine area 8 of the disk 4 stores 

8 encrypted message data. An external entity (e.g., a host, client or server) may send a request to 

9 the disk drive 2 to store sensitive information (e.g., a credit card number) in the pristine area 8 in 

10 encrypted form. The information may already be encrypted before receipt by the disk drive 2, or 

11 it may be encrypted by the disk drive 2 before it is written to the pristine area 8. A subsequent 

12 request may then be sent to the disk drive 2 to read the encrypted message stored in the pristine 

13 area 8. The disk drive 2 will authenticate the request before allowing access to the pristine area 

14 8, and optionally decrypt the message before transferring it to the external entity. 

15 In another embodiment of the present invention, the disk drive 2 of FIG. 1 authenticates a 

16 request received from an external entity to access the public area 6 of the disk 4 (read or write). 

17 This embodiment provides additional protection in that all requests to access the disk 4, 

18 including requests to access the public area 6, must first be authenticated. As with the previously 

19 disclosed embodiments, this embodiment implements user/device authentication, and optionally 

20 message authentication, using encrypted authentication data stored in the pristine area 8 of the 

21 disk 4. 

22 FIG. 4 illustrates another embodiment of the present invention wherein the disk 4 

23 comprises a plurality of physical blocks accessed by the control system using physical block 

24 addresses. An access request received from an external entity during normal operation of the 

25 disk drive 2 comprises a logical block address which is mapped by the control system 12 to a 

26 selected one of the physical block addresses. The pristine area 8 comprises at least one physical 

27 block written with at least part of the encrypted data during manufacturing of the disk drive 2 and 
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1 not externally accessible through a logical block address during normal operation of the disk 

2 drive 2. 

3 Each entry in the table of FIG. 4 represents a physical block recorded on the disk 4, where 

4 the first 40 entries (0-39) are the physical blocks reserved for the pristine area 8 and the next 110 

5 entries (40-149) are the physical blocks reserved for the public area 6. The first 20 physical 

6 bocks in the pristine area 8 are reserved for storing encrypted data which is inaccessible by 

7 external entities through a logical block address during normal operation of the disk drive 2. 

8 These physical blocks store encrypted data used internally by the disk drive 2, for example, 

9 encrypted authentication information for implementing a challenge and response verification 

10 sequence. The encrypted data is written to these physical blocks during manufacture of the disk 

11 drive 2 and accessed by the control system 12 using physical block addresses which are not 

12 mapped from logical block addresses. The next 20 physical blocks (20-39) in the pristine area 8 

13 are reserved for storing encrypted data which is accessible only by trusted external entities 

14 through logical block addresses, that is, after having been authenticated by the authentication 

15 circuitry 14. 

16 Partitioning the disk 4 into a public area 6 and a pristine area 8 improves the disk drive's 

17 performance. The disk drive's latency and throughput degenerate when accessing the pristine area 

18 8 due to the overhead associated with the decryption circuitry 1 8 decrypting the encrypted data as 

19 it is read from the pristine area 8. However, there are typically fewer accesses to the pristine area 

20 8 as compared to the public area 6. For example, authenticating a request received from an 

21 external entity may require only a few accesses to the pristine area 8, whereas the request itself 

22 may require multiple accesses (read or write) to the public area 6. 

23 The pristine area 8 may be used to store plaintext data as well as encrypted data, and the 

24 public area 6 may be used to store encrypted data as well as plaintext data. For example, it may 

25 be desirable to store plaintext data in the pristine area 8 in order to restrict access to the data 

26 without degrading the performance of the disk drive. In another embodiment, it may be desirable 

27 to store encrypted data in the public area 6 when restricting access to the encrypted data is not a 
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1 concern. 

2 In another embodiment of the present invention, a plurality of computer devices, 

3 including a plurality of disk drives, are interconnected in a computer network and communicate 

4 through a network protocol. Each disk drive comprises a disk having a public area 6 for storing 

5 plaintext data and a pristine area 8 for storing encrypted data. Further, each disk drive 

6 implements one or more of the aspects described above with respect to restricting access to the 

7 pristine area 8, storing encrypted authentication data in the pristine area 8, or partitioning the 

8 pristine area 8 into a number of physical blocks accessible by external entities and a number of 

9 physical blocks inaccessible by external entities. 
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1 WE CLAIM: 

1 1 . A disk drive 2 comprising: 

2 (a) a disk 4 for storing data, the disk 4 comprising a public area 6 for storing plaintext 

3 data and a pristine area 8 for storing encrypted data; 

4 (b) a head 10 for reading the encrypted data from the pristine area 8 of the disk 4; 

5 (c) a control system 12 for controlling access to the pristine area 8 of the disk 4; 

6 (d) authentication circuitry 14 for authenticating a request received from an external 

7 entity to access the pristine area 8 of the disk 4 and for enabling the control system 12 

8 if the request is authenticated; 

9 (e) a secret drive key 16; and 

10 (f) decryption circuitry 18, responsive to the secret drive key 16, for decrypting the 

1 1 encrypted data stored in the pristine area 8 of the disk 4 to generate decrypted data. 

1 2. The disk drive of claim 1, wherein the encrypted data comprises encrypted authentication 

2 data. 



1 3. The disk drive of claim 2, wherein the authentication circuitry is responsive to the 

2 decrypted data. 

1 4. The disk drive of claim 2, wherein the encrypted authentication data comprises encrypted 

2 user authentication data. 

1 5. The disk drive of claim 2, wherein the encrypted authentication data comprises encrypted 

2 device authentication data for authenticating a device, the device comprising a unique 

3 device ID configured during manufacture of the device. 

l 6. The disk drive of claim 2, wherein the encrypted authentication data comprises encrypted 
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2 information for implementing a challenge and response verification sequence. 

1 7. The disk drive of claim 2, wherein the encrypted authentication data comprises encrypted 

2 message authentication data. 

1 8. The disk drive of claim 7, wherein the encrypted authentication data comprises encrypted 

2 key data for generating a message authentication code. 

1 9. The disk drive of claim 1, wherein the encrypted data comprises encrypted key data for 

2 decrypting an encrypted message. 

1 10. The disk drive of claim 1, wherein the encrypted data comprises encrypted message data. 

1 11. The disk drive of claim 1, wherein the disk drive further comprises encryption circuitry 

2 for encrypting plaintext data into the encrypted data stored in the pristine area. 

1 12. The disk drive of claim 1, wherein: 

2 (a) the disk further comprises embedded servo sectors comprising servo bursts; 

3 (b) the control system comprises a servo control system responsive to the embedded 

4 servo sectors; and 

5 (c) the authentication circuitry enables the servo control system. 

1 13. The disk drive of claim 12, wherein: 

2 (a) the servo bursts are written to the disk in encrypted form; and 

3 (b) the authentication circuitry enables the servo control system to decrypt the servo 

4 bursts. 
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1 14. The disk drive of claim 13, wherein: 

2 (a) the servo bursts are written to the disk with additive noise generated from a pseudo 

3 random sequence; 

4 (b) the pseudo random sequence is generated from a polynomial; 

5 (c) the servo control system uses the polynomial to decrypt the servo bursts; and 

6 (d) the authentication circuitry provides the polynomial to the servo control system. 
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1 15. A disk drive comprising : 

2 (a) a disk for storing data, the disk comprising a public area for storing plaintext data and 

3 a pristine area for storing encrypted data; 

4 (b) a head for reading data from the disk; 

5 (c) a control system for controlling access to the disk; 

6 (d) a secret drive key; 

7 (e) decryption circuitry, responsive to the secret drive key, for decrypting the encrypted 

8 data stored in the pristine area of the disk to generate decrypted data; and 

9 (f) authentication circuitry, responsive to the decrypted data, for authenticating a request 

10 received from an external entity to access the disk and for enabling the control system 

1 1 if the request is authenticated. 
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1 16. A disk drive 2 comprising: 

2 (a) a disk 4 for storing data, the disk 4 comprising a public area 6 for storing plaintext 

3 data and a pristine area 8 for storing encrypted data; 

4 (b) a head 10 for reading the encrypted data from the pristine area 8 of the disk 4; 

5 (c) a control system 12 for controlling access to the pristine area 8 of the disk 4; 

6 (d) a secret drive key 16; and 

7 (e) decryption circuitry 18, responsive to the secret drive key, for decrypting the 

8 encrypted data stored in the pristine area 6 of the disk 4, 

9 wherein: 

10 the disk 4 comprises a plurality of physical blocks accessed by the control system through 

1 1 physical block addresses; 

12 a request received from an external entity during normal operation of the disk drive 

13 comprises a logical block address which is mapped by the control system to a 

14 selected one of the physical block addresses; and 

15 the pristine area comprises at least one physical block written with at least part of the 

16 encrypted data during manufacturing of the disk drive and not externally 

17 accessible through a logical block address during normal operation of the disk 

18 drive. 
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1 17. A method of processing a request received by a disk drive from an external entity to 

2 access encrypted data stored in a pristine area of a disk, the method comprising the steps 

3 of: 

4 (a) authenticating the request to access the pristine area and enabling access to the 

5 pristine area if the request is authenticated; 

6 (b) reading the encrypted data stored in the pristine area; and 

7 (c) decrypting the encrypted data using a secret drive key within the disk drive to 

8 generate decrypted data. 

1 18. The method as recited in claim 17, wherein the encrypted data comprises encrypted 

2 authentication data. 

1 19. The method as recited in claim 1 8, wherein the step of authenticating is responsive to the 

2 decrypted data. 

1 20. The method as recited in claim 1 8, wherein the encrypted authentication data comprises 

2 encrypted user authentication data. 

1 21 . The method as recited in claim 1 8, wherein the encrypted authentication data comprises 

2 encrypted device authentication data for authenticating a device, the device comprising a 

3 unique device ED configured during manufacture of the device. 

1 22. The method as recited in claim 1 8, wherein the encrypted authentication data comprises 

2 encrypted information for implementing a challenge and response verification sequence. 

1 23 . The method as recited in claim 1 8 , wherein the encrypted authentication data comprises 

2 encrypted message authentication data. 
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1 24. The method as recited in claim 23, wherein the encrypted authentication data comprises 

2 encrypted key data for generating a message authentication code. 

1 25. The method as recited in claim 17, wherein the encrypted data comprises encrypted key 

2 data for decrypting an encrypted message. 

1 26. The method as recited in claim 17, wherein the encrypted data comprises encrypted 

2 message data. 

1 27. The method as recited in claim 17, further comprising the step of encrypting plaintext 

2 data to generate the encrypted data stored in the pristine area. 

1 28. The method as recited in claim 17, wherein the disk further comprises embedded servo 

2 sectors comprising servo bursts, the method further comprising the steps of: 

3 (a) servoing a head over the disk in response to the embedded servo sectors; and 

4 (b) enabling servoing in the pristine area if the request is authenticated. 

1 29. The disk drive of claim 28, wherein: 

2 (a) the servo bursts are written to the disk in encrypted form; and 

3 (b) the step of authenticating the request to access the pristine area comprises the step of 

4 decrypting the servo bursts. 

1 30. The disk drive of claim 29, wherein: 

2 (a) the servo bursts are written to the disk with additive noise generated from a pseudo 

3 random sequence; 

4 (b) the pseudo random sequence is generated from a polynomial; and 
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(c) the step of servoing uses the polynomial to decrypt the servo bursts. 
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1 31. A method of processing a request received by a disk drive from an external entity to 

2 access data stored on a disk, the disk comprising a public area for storing plaintext data 

3 and a pristine area for storing encrypted data, the method comprising the steps of: 

4 (a) decrypting the encrypted data stored in the pristine area of the disk using a secret 

5 drive key within the disk drive to generate decrypted data; and 

6 (b) using the decrypted data to authenticate the request received from the external entity 

7 before allowing access to the disk. 
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1 DISK DRIVE EMPLOYING A DISK WITH A PRISTINE AREA FOR STORING 

2 ENCRYPTED DATA ACCESSIBLE ONLY BY TRUSTED DEVICES OR CLIENTS TO 

3 FACILITATE SECURE NETWORK COMMUNICATIONS 

4 

5 ABSTRACT OF THE DISCLOSURE 

6 A disk drive is disclosed comprising a disk for storing data, the disk comprising a public 

7 area for storing plaintext data and a pristine area for storing encrypted data. The disk drive 

8 comprises a head for reading the encrypted data from the pristine area of the disk, and a control 

9 system for controlling access to the pristine area of the disk. Authentication circuitry within the 

10 disk drive is provided for authenticating a request received from an external entity to access the 

11 pristine area of the disk and for enabling the control system if the request is authenticated. The 

12 disk drive further comprises a secret drive key, and decryption circuitry responsive to the secret 

13 drive key, for decrypting the encrypted data stored in the pristine area of the disk. 
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